Reviewed by Maciej.
Bug 19498: REGRESSION (r34497): crash while loading GMail
<https://bugs.webkit.org/show_bug.cgi?id=19498>
JavaScriptCore:
* VM/CodeGenerator.cpp:
(KJS::CodeGenerator::emitJumpIfTrueOptimized):
(KJS::CodeGenerator::emitJumpIfTrue):
* VM/CodeGenerator.h:
* kjs/nodes.cpp:
(KJS::DoWhileNode::emitCode):
(KJS::WhileNode::emitCode):
(KJS::ForNode::emitCode):
(KJS::CaseBlockNode::emitCodeForBlock):
LayoutTests:
* fast/js/logical-or-jless-expected.txt: Added.
* fast/js/logical-or-jless.html: Added.
* fast/js/resources/logical-or-jless.js: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@34500 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2008-06-11 Cameron Zwarich <cwzwarich@uwaterloo.ca>
+
+ Reviewed by Maciej.
+
+ Bug 19498: REGRESSION (r34497): crash while loading GMail
+ <https://bugs.webkit.org/show_bug.cgi?id=19498>
+
+ * VM/CodeGenerator.cpp:
+ (KJS::CodeGenerator::emitJumpIfTrueMayCombine):
+ (KJS::CodeGenerator::emitJumpIfTrue):
+ * VM/CodeGenerator.h:
+ * kjs/nodes.cpp:
+ (KJS::DoWhileNode::emitCode):
+ (KJS::WhileNode::emitCode):
+ (KJS::ForNode::emitCode):
+ (KJS::CaseBlockNode::emitCodeForBlock):
+
2008-06-11 Darin Adler <darin@apple.com>
Reviewed by Maciej.
return target;
}
-PassRefPtr<LabelID> CodeGenerator::emitJumpIfTrue(RegisterID* cond, LabelID* target)
+PassRefPtr<LabelID> CodeGenerator::emitJumpIfTrueMayCombine(RegisterID* cond, LabelID* target)
{
if (m_lastOpcodeID == op_less) {
int dstIndex;
}
}
+ return emitJumpIfTrue(cond, target);
+}
+
+PassRefPtr<LabelID> CodeGenerator::emitJumpIfTrue(RegisterID* cond, LabelID* target)
+{
emitOpcode(op_jtrue);
instructions().append(cond->index());
instructions().append(target->offsetFrom(instructions().size()));
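Review bot: Nothing visible in `emitJumpIfTrueMayCombine` enforces that `cond` is dead after the branch; the only guard shown is `if (m_lastOpcodeID == op_less)`, and the rest of that branch is outside the lines on this page, so part of this is inferred. If the combined path drops the `less` result, correctness rests entirely on every caller in nodes.cpp (the loop conditions and the case-block comparisons) passing a register that nothing reads again, which is the assumption that failed for LogicalOrNode. I would make the callee defensive: combine only when `cond` is a temporary that nothing else references, and otherwise fall through to `return emitJumpIfTrue(cond, target);`. A comment above the definition would record the contract, for example `// Combining discards the comparison result; only valid when cond is not read after the jump.`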
PassRefPtr<LabelID> emitLabel(LabelID*);
PassRefPtr<LabelID> emitJump(LabelID* target);
+ PassRefPtr<LabelID> emitJumpIfTrueMayCombine(RegisterID* cond, LabelID* target);
PassRefPtr<LabelID> emitJumpIfTrue(RegisterID* cond, LabelID* target);
PassRefPtr<LabelID> emitJumpIfFalse(RegisterID* cond, LabelID* target);
PassRefPtr<LabelID> emitJumpScopes(LabelID* target, int targetScopeDepth);
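Review bot: The new declaration sits directly above `emitJumpIfTrue` with an identical signature and no comment, so the header gives no hint about which of the two a new call site should use. One line above it would be enough, for example `// May merge a preceding op_less into the jump; call only when cond is not used after the branch.` The commit message also lists the function as `emitJumpIfTrueOptimized`, while the declaration and the ChangeLog entry name it `emitJumpIfTrueMayCombine`.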
generator.emitLabel(continueTarget.get());
RegisterID* cond = generator.emitNode(m_expr.get());
- generator.emitJumpIfTrue(cond, topOfLoop.get());
+ generator.emitJumpIfTrueMayCombine(cond, topOfLoop.get());
generator.emitLabel(breakTarget.get());
return result.get();
}
generator.emitLabel(continueTarget.get());
RegisterID* cond = generator.emitNode(m_expr.get());
- generator.emitJumpIfTrue(cond, topOfLoop.get());
+ generator.emitJumpIfTrueMayCombine(cond, topOfLoop.get());
generator.emitLabel(breakTarget.get());
generator.emitLabel(beforeCondition.get());
if (m_expr2) {
RegisterID* cond = generator.emitNode(m_expr2.get());
- generator.emitJumpIfTrue(cond, topOfLoop.get());
+ generator.emitJumpIfTrueMayCombine(cond, topOfLoop.get());
} else {
generator.emitJump(topOfLoop.get());
}
RegisterID* clauseVal = generator.emitNode(list->getClause()->expr());
generator.emitStrictEqual(clauseVal, clauseVal, switchExpression);
labelVector.append(generator.newLabel());
- generator.emitJumpIfTrue(clauseVal, labelVector[labelVector.size() - 1].get());
+ generator.emitJumpIfTrueMayCombine(clauseVal, labelVector[labelVector.size() - 1].get());
}
for (ClauseListNode* list = m_list2.get(); list; list = list->getNext()) {
RegisterID* clauseVal = generator.emitNode(list->getClause()->expr());
generator.emitStrictEqual(clauseVal, clauseVal, switchExpression);
labelVector.append(generator.newLabel());
- generator.emitJumpIfTrue(clauseVal, labelVector[labelVector.size() - 1].get());
+ generator.emitJumpIfTrueMayCombine(clauseVal, labelVector[labelVector.size() - 1].get());
}
RefPtr<LabelID> defaultLabel;
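Review bot: In both clause loops the jump comes right after `emitStrictEqual(clauseVal, clauseVal, switchExpression)`, so judging by the only guard visible in CodeGenerator.cpp (`m_lastOpcodeID == op_less`) the combining path probably cannot trigger at these two sites. Choosing the `MayCombine` variant here therefore reads as if a fusion happens when, as far as the page shows, none does. Either keep `emitJumpIfTrue` at these sites or say why the variant was chosen, for example `// clauseVal is dead after this jump, so combining would be safe if a stricteq fusion is added.` The enclosing function starts and ends outside the hunk.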
+2008-06-11 Cameron Zwarich <cwzwarich@uwaterloo.ca>
+
+ Reviewed by Maciej.
+
+ Test for:
+
+ Bug 19498: REGRESSION (r34497): crash while loading GMail
+ <https://bugs.webkit.org/show_bug.cgi?id=19498>
+
+ * fast/js/logical-or-jless-expected.txt: Added.
+ * fast/js/logical-or-jless.html: Added.
+ * fast/js/resources/logical-or-jless.js: Added.
+
2008-06-11 Sam Weinig <sam@webkit.org>
Reviewed by Adam Roben.
--- /dev/null
+This test checks whether the pair of opcodes (less, jtrue) is incorrectly optimized in a LogicalOrNode.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS result is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/logical-or-jless.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
--- /dev/null
+description(
+"This test checks whether the pair of opcodes (less, jtrue) is incorrectly optimized in a LogicalOrNode."
+);
+
+var failMessage = "FAIL";
+var temp = failMessage || failMessage;
+var result = 1 < 2 || false;
+shouldBeTrue("result");
+
+var successfullyParsed = true;
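Review bot: The test pins only the `||` shape that crashed; none of the call sites that keep the combining jump (do-while, while, for, switch clauses) is exercised with a comparison result that is read afterwards. A second case would guard against the same class of bug there, for example `function f() { var r; for (var i = 0; r = i < 1; i++) { } return r; }` checked with `shouldBeFalse("f()");`. The purpose of `var temp = failMessage || failMessage;` is not obvious from the file, so it deserves a short comment saying what state it sets up before the `1 < 2 || false` line.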